Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable and LTS channels.
New Alpha Release 3665.0.0
Changes since Alpha 3654.0.0

Security fixes:
Changes:
- Dropped support for niftycloud and interoute. For interoute, images had already not been generated for some time.
Updates:

New Beta Release 3602.1.3
Changes since Beta 3602.1.2

Updates:

New Stable Release 3510.2.5
Changes since Stable 3510.2.4

Security fixes:
Bug fixes:
- Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)
Updates:

New LTS Release 3033.3.15
Changes since LTS 3033.3.14

Security fixes:
Bug fixes:
Changes:
- Changed the ext4 inode size of the root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)
Updates:

Detailed Security Report

Security fix: With the Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15 release(s) we ship fixes for the CVEs listed below.
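As an added example (not code from this announcement or from the Flatcar project), the POSIX shell script below runs two host-side checks tied to the items above: whether a host's VERSION_ID is at or past the release that ships these CVE fixes for its channel, and whether the root filesystem already carries the 256-byte ext4 inodes noted under LTS 3033.3.15. It assumes that Flatcar's /etc/os-release has VERSION_ID=major.minor.patch with the minor digit identifying the channel (0 Alpha, 1 Beta, 2 Stable, 3 LTS, which matches the version numbers in this announcement), that the root partition is reachable as /dev/disk/by-label/ROOT, and that tune2fs -l prints an "Inode size:" line; the os-release text and tune2fs output embedded in the script are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not part of the Flatcar announcement or the Flatcar project.
# Two host-side checks:
#   1. Is this host on (or past) the release that ships the listed CVE fixes?
#   2. Does the root filesystem have 256-byte ext4 inodes (the 2038-readiness
#      change noted for LTS 3033.3.15)?
# Assumptions: VERSION_ID in /etc/os-release is <major>.<minor>.<patch> and the
# minor digit is the channel (0 Alpha, 1 Beta, 2 Stable, 3 LTS); the inode size
# is read from "tune2fs -l" output for /dev/disk/by-label/ROOT.

# Fixed versions taken from this announcement, keyed by channel digit.
fixed_for_channel() {
    case "$1" in
        0) echo 3665.0.0 ;;
        1) echo 3602.1.3 ;;
        2) echo 3510.2.5 ;;
        3) echo 3033.3.15 ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed when A >= B, comparing each dotted component as a
# number (a plain string compare would rank 3510.2.10 below 3510.2.5).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; fi
    if [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; fi
    return 1
}

# os_release_version OS_RELEASE_TEXT: pull VERSION_ID (quoted or not) out of
# os-release content.
os_release_version() {
    printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\{0,1\}\([0-9.]*\)"\{0,1\}$/\1/p'
}

# flatcar_patch_status VERSION_ID: print patched, unpatched or unknown-channel.
flatcar_patch_status() {
    r=${1#*.}
    channel=${r%%.*}
    fixed=$(fixed_for_channel "$channel") || { echo unknown-channel; return 0; }
    if version_ge "$1" "$fixed"; then echo patched; else echo unpatched; fi
}

# inode_size_from_dump DUMP_TEXT: extract the "Inode size:" field from
# tune2fs -l / dumpe2fs -h output.
inode_size_from_dump() {
    printf '%s\n' "$1" | sed -n 's/^Inode size:[[:space:]]*\([0-9][0-9]*\)$/\1/p'
}

# y2038_ready INODE_SIZE: print yes or no. 128-byte ext4 inodes only hold a
# 32-bit seconds field; 256 bytes and above leave room for the extra
# timestamp bits that carry dates past 2038.
y2038_ready() {
    if [ "$1" -ge 256 ]; then echo yes; else echo no; fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OS_RELEASE='NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
VERSION=3510.2.4
VERSION_ID=3510.2.4'

SAMPLE_DUMP='Filesystem volume name:   ROOT
Inode count:              123456
Inode size:               128'

# On a real Flatcar host the inputs would come from:
#   os_release_version "$(cat /etc/os-release)"
#   inode_size_from_dump "$(sudo tune2fs -l /dev/disk/by-label/ROOT)"
echo "release status: $(flatcar_patch_status "$(os_release_version "$SAMPLE_OS_RELEASE")")"
echo "root inode size 2038-ready: $(y2038_ready "$(inode_size_from_dump "$SAMPLE_DUMP")")"
```

The inode check is worth running separately from the version check because the inode size is set when the filesystem is created and is not changed by an OS update, so a host provisioned from an older image can report a patched release and still have 128-byte inodes. The component-wise comparison in version_ge matters as soon as a patch number reaches two digits, since a string comparison would treat 3510.2.10 as older than 3510.2.5.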
Alpha 3665.0.0

binutils
- CVE-2022-38533 CVSSv3 score: 5.5 (Medium)
  In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
- CVE-2022-4285 CVSSv3 score: 5.5 (Medium)
  An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
- CVE-2023-1579 CVSSv3 score: 7.8 (High)
  Heap-based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
- CVE-2023-2222 CVSSv3 score: n/a
  A vulnerability was found in binutils where objdump hits a SEGV in concat_filename() at dwarf2.c:2060.
ncurses
- CVE-2023-29491 CVSSv3 score: 7.8 (High)
  ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

protobuf
- CVE-2022-1941 CVSSv3 score: 7.5 (High)
  A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Stable 3510.2.3

Linux
- CVE-2023-3338 CVSSv3 score: 7.5 (High)
  A null pointer dereference flaw was found in the Linux kernel DECnet networking protocol. A remote user could use this flaw to crash the system.
- CVE-2023-3390 CVSSv3 score: n/a
  A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
  Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
  We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

LTS 3033.3.15

Linux
- CVE-2023-3338 CVSSv3 score: 7.5 (High)
  A null pointer dereference flaw was found in the Linux kernel DECnet networking protocol. A remote user could use this flaw to crash the system.
Best,
The Flatcar Container Linux Maintainers